The following issues were resolved:

[-] If a reseller’s customers were prohibited from changing the name of their system user, then all subscriptions created for those customers through the API-XML interface did not provide web hosting facilities. (PPPM-1995)

[-] (Windows) Migration of subdomains failed if the main domain’s name contained capital letters. (PPPM-2510)

[-] The FTP service stopped after Plesk updates were installed. (PPPM-2503)

[-] It was impossible to set up FTP settings and create backups in the FTP repository for users like 'SERVER\username'. (PPPM-2331)

[-] Moving the virtual hosts directory (HTTPD_VHOSTS_D) to another location by using the script /usr/local/psa/bin/transvhosts.pl failed on Ubuntu 14. (PPPM-2360)

[-] Sometimes the Comodo ModSecurity rule set failed to update with the error "404 Not Found". (PPPM-2374)

[-] (Windows) The script '..\Perl\site\bin\sa-learn' was absent on new installations of Plesk 12.

[-] The Change Settings page of the WordPress Toolkit failed to open on customer subscriptions in Plesk installations that had no administrator’s subscriptions; a PHP fatal error occurred. (PPPM-2391)

A complete list of changes can be found here:

During a code audit performed internally at Qualys, a heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls.

Impact

There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.

Installation Instructions

A complete list of changes can be found here:

Published 25 Dec 2014 13:01:09 GMT: http://kb.sp.parallels.com/en/123953
Failure to place limits on delegation chaining can allow an attacker to crash BIND or cause memory exhaustion.

Situation

By making use of maliciously constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process).

A complete list of changes can be found here:

Please read this message in its entirety and take the recommended actions.

Situation

A critical security vulnerability in Parallels Plesk for Windows was recently identified that may allow authorized users to gain access to other customers’ data on the same Plesk server. This security vulnerability is limited to Plesk on Windows servers only.

Impact

An authorized Plesk user is able to access other customers’ data on the same Windows server.

Solution

To close the vulnerability, install the latest available Plesk update for your version.

Call to Action

Install the Plesk security update following the instructions provided in the Parallels Knowledgebase articles below:

If you are running an earlier version of Plesk for Windows, we strongly recommend that you upgrade these instances following the instructions provided in the Parallels Plesk Panel upgrade guide article.

Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.

We also strongly encourage you to stay connected to Parallels for important product-related information via these methods:

On 20 November, WordPress reported on their blog that WordPress 4.0.1 is now available. This is a critical security release for all previous versions, and they strongly encourage WordPress administrators to update their sites immediately.

Impact

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. For details, see the original post on the WordPress blog.

Solution

WordPress as an APS package is available for installation through the following Parallels products; refer to these articles:

What's Changed

The following issues were resolved:

[-] After upgrading to Plesk 12, the default texts of Plesk 12 notifications were overwritten with incorrect values if custom PHP directives were added to service plan settings. (PPPM-2190)

[-] Subscription backups could not be restored if they contained unnecessary references to a PostgreSQL server. The following error occurred: "Unable to resolve all conflicts". (PPPM-1474)

[-] When users logged in to Plesk with the Dutch locale, information about mailbox sizes was shown in wrong units (KM instead of KB, MM instead of MB). (PPPM-2062)

[-] (Linux) Mail sent to a mailing list could not be delivered to all recipients if the number of recipients exceeded the limit on outgoing mail messages per hour. Such messages now remain in the mail queue and are delivered to the remaining recipients during the following hours. (PPP-11577)

[-] (Linux) Backing up and restoration of subscriptions could fail if custom files or folders were placed in a subscription's root directory (not in httpdocs or an add-on domain's folder). (PPPM-1925)

Impact

Microsoft has revealed a vulnerability in the Microsoft Windows Kerberos KDC that could allow an attacker to elevate the privileges of an unprivileged domain user account to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When the security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempted to exploit this vulnerability.

Impact

The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. According to the Microsoft security bulletin, at the time it was issued there was no information to indicate that this vulnerability had been publicly used to attack customers.

This security update is rated Critical for all supported releases of Microsoft Windows.

Resolution

Check the network adapter installed in the system. If it is "Parallels Virtual Network Adapter", then you are inside a Parallels Virtuozzo Container; proceed with the instructions from the corresponding article. Otherwise, proceed with step 2.

To close the vulnerability on physical hosts and virtual machines, simply install the security patch from Windows Update. If you are not the owner of the physical host, contact the service provider and request that the vulnerability be closed.

Impact

The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. According to the Microsoft security bulletin, at the time it was issued there was no information to indicate that this vulnerability had been publicly used to attack customers.

This security update is rated Critical for all supported releases of Microsoft Windows.

Resolution

To close the vulnerability on Windows-based hosts, install the security patch from Windows Update.

For specific Parallels products, here is the list of articles which you may refer to:

Installation Instructions

Published 06 Nov 2014 05:32:22 GMT: http://kb.sp.parallels.com/en/123357
Automated attacks compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 were detected.

Situation

On 29 October, Drupal also issued Security Advisory PSA-2014-003, recommending that all potentially compromised sites be restored from backup unless the patch was applied within hours of the announcement of SA-CORE-2014-005: https://www.drupal.org/PSA-2014-003

Impact

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

Solution

Drupal as an APS package is available for installation through the following Parallels products; refer to these articles:

What's Changed

[*] (Windows) Added the option to set up a server-wide soft limit for the Microsoft SQL database quota and MySQL database quota limits. The default soft limit is 85% of the hard limit you specify. To modify the soft limit percentage, insert the following line into the [databaseManagement] block of the panel.ini file (the value must be a positive number without the percent sign):

If you are NOT vulnerable, your output should look something like this:

curl: (35) SSL connect error

If you ARE vulnerable, you will see normal connection outputs, potentially including the line:

SSL 3.0 connection using ...

Resolution

Although the likelihood of this vulnerability being exploited is quite low, the simplest mitigation is to disable SSL 3.0: this obsolete protocol version is kept only for compatibility and is not required by Parallels products.

For specific Parallels products, here is the list of articles which you may refer to:

What's Changed

The following improvement has been made:

[*] Administrators can now set a server-wide limit on the number of scheduled backups that can be stored in one repository. The limits of all subscriptions and accounts are reduced to the server-wide value, if such a value is specified. The newly created subscriptions and accounts will have the specified limit by default. Users cannot set a greater limit than the server-wide one. (PPP-10831)

The following issues have been resolved:

[-] If users logged in using rsession, the Plesk interface language was English, even if these users had previously selected another language in Interface Settings. (PPP-11069)

[-] (Linux) In Plesk 12.0, temporary backup files were stored in /tmp by default. This could cause the server to stop responding if the size of the backup files exceeded the size of the directory. Temporary backup files are now stored in /usr/local/psa/PMM/tmp. (PPP-11008)

[-] (Linux) After the user had enabled the Atomic rule set for ModSecurity (web application firewall), ModSecurity stopped working. (PPP-11007)

[-] Users could not restore the default DNS zone settings for domain aliases. The Restore the DNS Zone form did not appear. (PPP-10974)

[-] (Linux) Plesk installed in OpenVZ containers could not be configured after the upgrade to 12.0 because the directory /dev/shm was missing. (PPP-10830, PPPM-1655)

[-] (Linux) The AWStats statistics for the last day of the month were calculated incorrectly. (PPP-8850, PPPM-1486)

What's Changed

The following issues have been resolved:

[-] Users could not access the website folder for managing the website's files if Classic List was selected in Websites & Domains > Domains List Settings. The following error occurred: "Invalid URL was requested". (PPP-10818)

[-] (Linux) Administrators could not create a backup of the server. An error message about the wrong format of the backup file appeared. (PPP-10804)

[-] The administrator's interface language switched back to the default (English) after visiting the Tools & Settings > Backup Manager > Scheduled Backup Setting screen. (PPP-10784, PPPM-1738)

[-] If users customized their domain PHP settings and the administrator then modified other settings of their subscription, the domain PHP settings reverted to the default. (PPP-10744, PPPM-1779)

[-] (Linux) Administrators could not migrate a reseller's subscriptions without migrating the reseller. (PPP-10691, PPPM-1754)

[-] (Windows) On Windows 2012 x64, Plesk administrators could not install a Plesk license key on Plesk inside a Hyper-V virtual machine. An error saying that the license key was invalid occurred.

[-] (Windows) Administrators could not migrate domains with a remote MSSQL database if the MSSQL server was running on any port other than the default 1433. (PPP-10800, PPPM-1802)

For Windows

This affects Parallels Containers for Windows with Parallels Dispatcher installed for management by PACI, as a few components are compiled with a vulnerable OpenSSL version. The updated OpenSSL will be included in the next hotfix.

For Linux

This affects almost all services (especially Apache-based ones) that depend on OpenSSL, on systems created from one of the following distributions:

The installed package version on Red Hat/CentOS and Fedora can be checked with the command:

~# rpm -q openssl

Resolution

Hardware node update

Operating system vendors have issued fixes, which have been incorporated by all major distributions. You must apply the OpenSSL updates by installing the new openssl package version:

~# yum clean all; yum update openssl

Note: PSBM, PCS and PVC for Windows use SSL only for internal communication with Dispatcher. This significantly decreases the risk of compromise, but it is still highly recommended to apply the SSL fixes, as the library might be used by other third-party services.

PVA Power Panel and PVA MN

Parallels Virtual Automation itself uses a version of OpenSSL that is not vulnerable, but it relies on the system OpenSSL for web-based services served via Apache.

PVA Power Panel uses the Apache web server running on the host, so OpenSSL must be updated and Apache restarted on the hardware node:

~# service httpd restart

PVA Management Node uses the Apache and OpenSSL of the system it is installed in; update the installation according to its type and restart the services:

in a container:

~# vzctl update CTID

in a virtual machine or on a physical server:

~# yum clean all; yum update

Applying fix to containers

For existing containers:

~# vzpkg update CTID

or a single package specifically:

~# vzpkg install CTID -p openssl

Operating system template cache(s) should be recreated:

~# vzpkg update cache DISTR-VER-ARCH

After the update is applied all the services relying on OpenSSL should be restarted:

Restart SSH server, OpenVPN, Apache.

Restart any other services running on the host operating system dependent on OpenSSL.
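The restart step above depends on knowing which running services still use the pre-update library. The following script is an added example, not part of the Parallels article: it reads /proc/<pid>/maps, where the kernel marks a replaced file as "(deleted)", and lists the processes that still have the old libssl/libcrypto mapped. The directory argument and the function names are assumptions made so the same code can run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the Parallels KB): after "yum update openssl", find
# processes that still have the OLD libssl/libcrypto mapped in memory. The
# kernel shows a replaced file in /proc/<pid>/maps as "(deleted)"; such
# processes keep executing the vulnerable code until they are restarted.

# stale_ssl_pids [PROCDIR]
# Print one PID per line whose maps file references a deleted libssl/libcrypto.
# PROCDIR defaults to /proc; it is a parameter (assumption for this example)
# so the function can also be run against a constructed directory tree.
stale_ssl_pids() {
    procdir="${1:-/proc}"
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue   # glob miss, or unreadable without root
        if grep -qE '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            echo "${pid##*/}"
        fi
    done
}

# stale_ssl_report [PROCDIR]
# Print "PID NAME" for every stale process, reading the name from
# PROCDIR/<pid>/comm, so the administrator can see which services (httpd,
# sshd, openvpn, ...) still need a restart. Prints "none" if nothing is stale.
stale_ssl_report() {
    procdir="${1:-/proc}"
    found=0
    for pid in $(stale_ssl_pids "$procdir"); do
        name=$(cat "$procdir/$pid/comm" 2>/dev/null || echo '?')
        echo "$pid $name"
        found=1
    done
    [ "$found" -eq 1 ] || echo "none"
}

# On a real host, run as root after the update:  stale_ssl_report
```

Processes that show up after the update has been applied are the ones the "restart all services relying on OpenSSL" step is about; an empty report ("none") means every remaining process already loaded the patched library.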